Vendor description

“BlueSpice free is the free wiki version of BlueSpice, based on MediaWiki and
extends it with lots of useful features, which ease the everyday work with your
wiki. BlueSpice free supports you with its free of cost functions for quality
assurance, process support, administration, editing and security. Just download
it and install BlueSpice!”

The stored cross-site scripting vulnerability exists in the ShoutBox plugin,
which allows users to comment on pages in a BlueSpice wiki. The plugin encodes
neither the input nor the output of user-provided content. Submitted payloads
are therefore stored in the database and included in the page verbatim, where
the browser interprets them as executable JavaScript code.

By default, BlueSpice security settings require a user to be logged in to use
the ShoutBox. However, the default settings also allow for self registration.

This vulnerability can be leveraged to send a malicious script to an
unsuspecting user. The victim’s browser will execute the script, as it has no
way of knowing that the script should not be trusted. By exploiting this
vulnerability an attacker is able to trick users into unknowingly performing
actions on the attacker's behalf.

Proof of concept:

After login, the attacker is able to exploit the vulnerability simply by
posting raw JS code in the ShoutBox comment field. Posting the following code
snippet will produce a popup box containing the message “Stored XSS”.

<script>alert("Stored XSS")</script>

The code is executed by any user visiting the page that contains the comment,
if the ShoutBox is selected.
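The missing step described above is output encoding. The following is an added example, not BlueSpice or MediaWiki code, showing a minimal PHP render routine for a shout that concatenates stored text raw beside one that HTML-encodes each user-controlled field for the context it lands in. The function names and the sample shout are constructed for illustration; inside a MediaWiki extension the same escaping is available through `Html::element()`.

```php
<?php
// Added example, not BlueSpice/MediaWiki code: raw inclusion of a stored
// comment versus HTML-encoding it on output.

// Vulnerable pattern: stored fields are concatenated into the page unchanged,
// so markup in a comment becomes live HTML/JS in every reader's browser.
function render_shout_raw(array $shout): string {
    return '<div class="shout" title="' . $shout['user'] . '">'
         . $shout['text'] . '</div>';
}

// Hardened pattern: encode every user-controlled field. ENT_QUOTES also
// encodes ' and ", which is required for values placed inside an attribute.
function encode_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_shout_safe(array $shout): string {
    return '<div class="shout" title="' . encode_html($shout['user']) . '">'
         . encode_html($shout['text']) . '</div>';
}

// Constructed sample: the advisory's proof-of-concept string as the comment
// text, plus quote characters in the user name to exercise attribute context.
$shout = [
    'user' => 'O\'Brien "the" editor',
    'text' => '<script>alert("Stored XSS")</script>',
];

$raw  = render_shout_raw($shout);
$safe = render_shout_safe($shout);
echo "raw:  $raw\nsafe: $safe\n";

// Self-check: the encoded output carries no tag from user input, and the only
// double quotes left are the four attribute delimiters written by the template.
assert(strpos($safe, '<script') === false);
assert(strpos($safe, '&lt;script&gt;') !== false);
assert(substr_count($safe, '"') === 4);
```

Run with `php render_shout.php`; the raw line is what the ShoutBox emitted, the safe line is what a browser will display as literal text.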

Vulnerable / tested versions:

The vulnerability has been verified to exist in BlueSpice for MediaWiki version 2.23.1, which was the most recent version at the time of discovery.

Vendor contact timeline: